03-08-2020 01:54 AM
Hello all,
New to the forums and the Cisco ASA 5506-X.
I have tried to create a Public Server using
ASDM --> Configuration --> Firewall --> Public Server
I had no errors in the creation phase.
I then tried to test using the command:
packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed
but i get the following error:
(acl-drop) Flow is denied by configured rule
in detail, the answer was the following:
Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed" Phase: 1 Type: CP-PUNT Subtype: l2-selective Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7f10bb004df0, priority=13, domain=punt, deny=false hits=6744, user_data=0x7f10bb51ea40, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 input_ifc=outside, output_ifc=any Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x7f10ba9e6ab0, priority=1, domain=permit, deny=false hits=6654, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=outside, output_ifc=any Phase: 3 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 10.0.0.12 using egress ifc inside Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group outside_access in interface outside access-list outside_access extended permit tcp any4 object dmz_in eq www Additional Information: Forward Flow based lookup yields rule: in id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false hits=10, user_data=0x7f10b30c64c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 5 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7f10b9a5d360, priority=0, domain=nat-per-session, deny=false hits=4080, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7f10bb516e50, priority=0, domain=inspect-ip-options, deny=true hits=3042, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 7 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group outside_access in interface outside access-list outside_access extended permit tcp any4 object dmz_in eq www Additional Information: Forward Flow based lookup yields rule: in id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false hits=11, user_data=0x7f10b30c64c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 8 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7f10b9a5d360, priority=0, domain=nat-per-session, deny=false hits=4081, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 9 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7f10bb516e50, priority=0, domain=inspect-ip-options, deny=true hits=3043, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 10 Type: NAT Subtype: rpf-check Result: DROP Config: object network dmz_in nat (inside_1,outside) static dmz_out Additional Information: Forward Flow based lookup yields rule: out id=0x7f10bb65a2a0, priority=6, domain=nat-reverse, deny=false hits=6, user_data=0x7f10ba46f9a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=inside_1 Result: input-interface: outside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
the asa configuration is as follows:
Result of the command: "sh run" : Saved : : Serial Number: JAD23491DFL : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.8(2) ! hostname ciscoasa enable password $sha512$5000$YF7WGccVhZL32TZ5JIVyzw==$Ce6xmlZRIG/9w+0h+1LTtg== pbkdf2 names ! interface GigabitEthernet1/1 nameif outside security-level 0 ip address dhcp setroute ! interface GigabitEthernet1/2 bridge-group 1 nameif inside_1 security-level 100 ! interface GigabitEthernet1/3 bridge-group 1 nameif inside_2 security-level 100 ! interface GigabitEthernet1/4 bridge-group 1 nameif inside_3 security-level 100 ! interface GigabitEthernet1/5 bridge-group 1 nameif inside_4 security-level 100 ! interface GigabitEthernet1/6 bridge-group 1 nameif inside_5 security-level 100 ! interface GigabitEthernet1/7 bridge-group 1 nameif inside_6 security-level 100 ! interface GigabitEthernet1/8 bridge-group 1 nameif inside_7 security-level 100 ! interface Management1/1 management-only no nameif no security-level no ip address ! interface BVI1 nameif inside security-level 100 ip address 10.0.0.1 255.255.255.0 ! ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 same-security-traffic permit inter-interface object network obj_any1 subnet 0.0.0.0 0.0.0.0 object network obj_any2 subnet 0.0.0.0 0.0.0.0 object network obj_any3 subnet 0.0.0.0 0.0.0.0 object network obj_any4 subnet 0.0.0.0 0.0.0.0 object network obj_any5 subnet 0.0.0.0 0.0.0.0 object network obj_any6 subnet 0.0.0.0 0.0.0.0 object network obj_any7 subnet 0.0.0.0 0.0.0.0 object network dmz_in host 10.0.0.12 description dmz_in object network dmz_out host 192.168.1.40 description dmz_out access-list outside_access extended permit tcp any4 object dmz_in eq www pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside_1 1500 mtu inside_2 1500 mtu inside_3 1500 mtu inside_4 1500 mtu inside_5 1500 mtu inside_6 1500 mtu inside_7 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 ! object network obj_any1 nat (inside_1,outside) dynamic interface object network obj_any2 nat (inside_2,outside) dynamic interface object network obj_any3 nat (inside_3,outside) dynamic interface object network obj_any4 nat (inside_4,outside) dynamic interface object network obj_any5 nat (inside_5,outside) dynamic interface object network obj_any6 nat (inside_6,outside) dynamic interface object network obj_any7 nat (inside_7,outside) dynamic interface object network dmz_in nat (inside_1,outside) static dmz_out access-group outside_access in interface outside timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication login-history http server enable http 10.0.0.0 255.255.255.0 inside_1 http 10.0.0.0 255.255.255.0 inside_2 http 10.0.0.0 255.255.255.0 inside_3 http 10.0.0.0 255.255.255.0 inside_4 http 10.0.0.0 255.255.255.0 inside_5 http 10.0.0.0 255.255.255.0 inside_6 http 10.0.0.0 255.255.255.0 inside_7 no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpoint _SmartCallHome_ServerCA no validation-usage crl configure crypto ca trustpool policy crypto ca certificate chain _SmartCallHome_ServerCA certificate ca ......... quit telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd auto_config outside ! dhcpd address 10.0.0.5-10.0.0.254 inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context service call-home call-home reporting anonymous call-home contact-email-addr aferrara.avvisi@gmail.com profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:b11b3962c3121dc7612713d95c49d0af : end
can you help me?
Thanks.
03-10-2020 12:39 PM
Hi Salim,
unfortunately it doesn't work.
Looking at the log I found this:
Routing failed to locate next hop for TCP from outside:192.168.1.16/53064 to inside_1:192.168.1.40/80
Hope it can help you understand the problem.
Thanks.
03-10-2020 01:15 PM
check your email drop you a message.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide